Compliance Impact

The provided information does not specify how the arbitrary file-write vulnerability in Pega Browser Extension (PBE) affects compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-1078 is an arbitrary file-write vulnerability in the Pega Browser Extension (PBE) that affects Pega Robotic Automation versions 22.1 and R25. This vulnerability occurs when a Robot Runtime user navigates to a malicious website crafted by an attacker. The malicious website contains code that exploits the PBE, potentially allowing the attacker to write arbitrary files on the affected system.

Additionally, there is a related medium-severity vulnerability in all versions of the Pega Browser Extension that can cause unexpected behaviors such as unsolicited message boxes when users visit malicious sites.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow a malicious actor to execute arbitrary file writes on your system by tricking a Robot Runtime user into visiting a malicious website. This could lead to compromise of the automation environment, potentially allowing unauthorized modification or insertion of files, which may disrupt operations or lead to further exploitation.

The medium-severity issue may also cause unexpected behaviors such as unsolicited message boxes, which could be used for social engineering or to disrupt user workflows.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate the vulnerability in Pega Browser Extension (PBE) affecting Pega Robotic Automation versions 22.1 and R25, it is strongly recommended to update to PBE version 3.1.45 or later.

Additionally, users running R25 should upgrade both Robot Studio and Robot Runtime to version 25.1.13. Users on version 22.1 only need to update the PBE without upgrading Robot Studio or Robot Runtime.

Contacting Pega Support for any questions or concerns is also advised.

Useful 0 Not Useful 0